
The Enterprise Database Edition license level of the MapR distribution for Hadoop enables native storage for MapR Tables. You can set permissions for access to these tables through the MapR Control System (MCS) or with the maprcli table commands. Because MapR Tables are stored at the file-system level, you can also set permissions for MapR Tables in the file system directly if the software version of MapR does not have Access Control Support. The minimum software version that has Access Control Support is 3.1.

Access Control Expressions

Permissions for MapR Tables are defined by Access Control Expressions (ACEs). An ACE is defined by a combination of user, group, or role definitions. You can combine these definitions using the following syntax:

Operator   Description
u          User ID of a specific user. Usage: u:<uid>.
g          Group ID of a specific group. Usage: g:<gid>.
r          Name of a specific role. Usage: r:<role name>.
p          Public. Specifies that this operation is available to the public without restriction. Cannot be combined with any other operator.
!          Negation operator. Usage: !<operator>.
&          AND operation.
|          OR operation.
()         Delimiters for subexpressions.
""         The empty string indicates that no user has the specified permission.

An example definition is u:1001 | r:engineering, which restricts access to the user with ID 1001 or to any user with the role engineering.

You can also combine subexpressions into an ACE, as in this example:

The ACE in this example restricts access to users satisfying either of the following conditions:

  • Has user ID 1001 and is a member of the admin group
  • Has user ID 1002 and has the deploy role and is either not in the test group or does not have the qa role.
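The following evaluator is an added example, not MapR code: it parses an ACE string using the operator table above (u:, g:, r:, p, !, &, |, parentheses, and the empty string) and decides whether a given principal satisfies it. The Principal class, the group IDs 500 (admin) and 600 (test) used in the combined expression, and the rule that & and | may not be mixed at one level without parentheses (stated for the MCS Expression Builder further down) are assumptions of this example; MapR resolves users, groups and roles itself.

```python
import re
from dataclasses import dataclass


# Hypothetical principal: the entity requesting access. MapR resolves uid, gids
# and roles on its own; here they are supplied explicitly so the code runs offline.
@dataclass(frozen=True)
class Principal:
    uid: int
    gids: frozenset = frozenset()
    roles: frozenset = frozenset()


# One token per operator in the ACE syntax: u:<uid>, g:<gid>, r:<role>, p, !, &, |, ( ).
# Role names may not contain ':', '&', '|' or '!', so the r: pattern stops at those.
_TOKEN = re.compile(r"\s*(u:\d+|g:\d+|r:[^\s:&|!()]+|p|[!&|()])")


def tokenize(ace):
    tokens, pos, ace = [], 0, ace.strip()
    while pos < len(ace):
        m = _TOKEN.match(ace, pos)
        if not m:
            raise ValueError(f"bad ACE token at {pos}: {ace[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive-descent parser producing a small tuple-based AST."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse_expr(self):
        # A run of operands joined by a single operator kind; mixing & and |
        # at the same level requires a parenthesised subexpression.
        operands, op = [self.parse_operand()], None
        while self.peek() in ("&", "|"):
            tok = self.take()
            if op is None:
                op = tok
            elif tok != op:
                raise ValueError("cannot mix & and | without a subexpression")
            operands.append(self.parse_operand())
        return operands[0] if op is None else (op, operands)

    def parse_operand(self):
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of expression")
        if tok == "!":
            return ("!", self.parse_operand())
        if tok == "(":
            node = self.parse_expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok == "p":
            return ("p",)
        if tok in (")", "&", "|"):
            raise ValueError(f"unexpected {tok!r}")
        kind, _, value = tok.partition(":")
        return (kind, int(value) if kind in ("u", "g") else value)


def parse(ace):
    """Return an AST, or None for the empty-string ACE (nobody has the permission)."""
    if ace.strip() in ("", '""'):
        return None
    tokens = tokenize(ace)
    if "p" in tokens and any(t in ("&", "|", "!") for t in tokens):
        raise ValueError("p cannot be combined with any other operator")
    parser = _Parser(tokens)
    node = parser.parse_expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected {parser.peek()!r}")
    return node


def evaluate(node, principal):
    if node is None:
        return False
    kind = node[0]
    if kind == "p":
        return True
    if kind == "u":
        return principal.uid == node[1]
    if kind == "g":
        return node[1] in principal.gids
    if kind == "r":
        return node[1] in principal.roles
    if kind == "!":
        return not evaluate(node[1], principal)
    if kind == "&":
        return all(evaluate(n, principal) for n in node[1])
    return any(evaluate(n, principal) for n in node[1])  # "|"


def has_access(ace, principal):
    return evaluate(parse(ace), principal)


# Constructed example (not from the page): the two-condition expression described
# above, assuming the admin group has gid 500 and the test group has gid 600.
COMBINED_ACE = "(u:1001 & g:500) | (u:1002 & r:deploy & (!g:600 | !r:qa))"
```

Calling has_access(COMBINED_ACE, Principal(1001, gids=frozenset({500}))) returns True, while Principal(1002, gids=frozenset({600}), roles=frozenset({"deploy", "qa"})) is refused because neither side of the inner OR holds. The empty string always evaluates to False, which is the safe default when a permission has deliberately been given to nobody.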

Enabling ACEs on Your Cluster

If you upgraded to version 3.1 or later of the MapR distribution for Hadoop from an earlier version, ACEs are not automatically enabled. To enable ACEs, issue the following command:

# maprcli config save -values '{"mfs.feature.db.ace.support":"1"}'

After enabling ACEs for MapR tables, table access is enforced by table ACEs instead of the file system. On version 3.1 of the MapR distribution for Hadoop, newly created tables are owned by root and have their mode bits set to 0777. Starting in version 3.1.1, newly created tables are instead owned by the creating user and have their mode bits set to 0400.

Defining ACEs with the MCS using the Expression Builder

  1. To define an ACE for an existing table, click Edit Table Permissions from the table's pane in the MCS to display the Permissions pane.
  2. Click the arrow at the right side of any field to display the Expression Builder for that field.
  3. Use the + button to add a condition to the expression. Note that you cannot mix AND and OR without using subexpressions.

You can also type expressions directly into the field. The MCS validates expressions when focus leaves the field. The field is colored yellow for a warning and red for an error. Hover the cursor on the field to display the error or warning message.

Default Permissions

A new MapR table's permissions default to the UID of the user creating the table. The default column family permissions are specified at table creation time by the creating user.

Default Table Permissions

Permission | Description | Default
packperm | Users with this permission can pack table regions. | Creating user's UID only
bulkloadperm | Users with this permission can load this table with bulk loads if the table was created with bulk load support. | Creating user's UID only
adminaccessperm | Users with this permission can view and edit the permissions for this table. | Creating user's UID only
splitmergeperm | Users with this permission can split and merge table regions. | Creating user's UID only
createrenamefamilyperm | Users with this permission can create column families for this table or rename existing column families. | Creating user's UID only
deletefamilyperm | Users with this permission can delete column families from this table. | Creating user's UID only
defaultversionperm | Users with this permission can change the default version for the table. | Creating user's UID only
defaultcompressionperm | Users with this permission can change the default compression used on this table. | Creating user's UID only
defaultmemoryperm | Users with this permission can change the default setting of the 'keep in memory' attribute for column families in this table. | Creating user's UID only
defaultreadperm | Users with this permission can change the default setting of the read permissions for this table. | Creating user's UID only
defaultwriteperm | Users with this permission can change the default setting of the write permissions for this table. | Creating user's UID only
defaultappendperm | Users with this permission can change the default setting of the append permissions for this table. | Creating user's UID only

Default Column Family Permissions

Permission | Description | Default
versionperm | Users with this permission can modify the minimum and maximum number of versions to keep for this column family. | Inherited from the value of defaultversionperm
compressionperm | Users with this permission can modify the compression level for this column family. | Inherited from the value of defaultcompressionperm
memoryperm | Users with this permission can modify the 'keep in memory' attribute for this column family. | Inherited from the value of defaultmemoryperm
readperm | Users with this permission can scan and get data from a column family. | Inherited from the value of defaultreadperm
writeperm | Users with this permission can check, put, or increment data into a column family. | Inherited from the value of defaultwriteperm
appendperm | Users with this permission can change the append permissions for this column family. | Inherited from the value of defaultappendperm

Default Column Permissions

Permission | Description | Default
readperm | Users with this permission can scan and get data from this column. | If not explicitly set, inherited from the column family permission.
writeperm | Users with this permission can check, put, or increment data to this column. | If not explicitly set, inherited from the column family permission.
appendperm | Users with this permission can change the append permissions for this column. | If not explicitly set, inherited from the column family permission.

Columns with permissions set explicitly must match the permissions of the column family they are in. Otherwise, the column is inaccessible.
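As an added example (not MapR's own code or data model), the following audit helper models the three-level inheritance described in the tables above and flags the failure mode just mentioned: a column whose explicitly set ACE does not match its column family's effective ACE is silently inaccessible. The dictionary layout, the sample table and the textual comparison of ACE strings are assumptions of this example; MapR performs the comparison itself.

```python
# Which table-level default each column-family permission inherits from,
# taken from the Default Column Family Permissions table above.
FAMILY_DEFAULT_SOURCE = {
    "versionperm": "defaultversionperm",
    "compressionperm": "defaultcompressionperm",
    "memoryperm": "defaultmemoryperm",
    "readperm": "defaultreadperm",
    "writeperm": "defaultwriteperm",
    "appendperm": "defaultappendperm",
}

# The only permissions that can be set on an individual column.
COLUMN_PERMS = ("readperm", "writeperm", "appendperm")


def effective_family_perm(table, family, perm):
    """ACE in force for a column family: its explicit setting, else the table default."""
    explicit = table["families"][family]["perms"].get(perm)
    if explicit is not None:
        return explicit
    return table["defaults"][FAMILY_DEFAULT_SOURCE[perm]]


def effective_column_perm(table, family, column, perm):
    """ACE in force for a column, or None when the column is inaccessible because
    its explicit ACE differs from the family's effective ACE."""
    family_ace = effective_family_perm(table, family, perm)
    explicit = table["families"][family]["columns"].get(column, {}).get(perm)
    if explicit is None:
        return family_ace  # not explicitly set: inherited from the column family
    # Textual comparison is an assumption of this example.
    return explicit if explicit.strip() == family_ace.strip() else None


def find_inaccessible_columns(table):
    """Audit: (family, column, permission) triples whose explicit ACE mismatches the family."""
    found = []
    for fam_name, fam in table["families"].items():
        for col_name in fam["columns"]:
            for perm in COLUMN_PERMS:
                if effective_column_perm(table, fam_name, col_name, perm) is None:
                    found.append((fam_name, col_name, perm))
    return found


# Constructed sample table (not from the page): uid 1001 created it, so every
# table-level default is "u:1001"; family cf1 opens reads to the engineering role.
SAMPLE_TABLE = {
    "defaults": {name: "u:1001" for name in FAMILY_DEFAULT_SOURCE.values()},
    "families": {
        "cf1": {
            "perms": {"readperm": "u:1001 | r:engineering"},
            "columns": {
                "name": {},                                        # inherits everything
                "salary": {"readperm": "u:1001"},                  # explicit and different: inaccessible
                "email": {"readperm": "u:1001 | r:engineering"},   # explicit and matching
            },
        },
    },
}
```

Running find_inaccessible_columns(SAMPLE_TABLE) reports only ("cf1", "salary", "readperm"): the salary column's narrower explicit ACE does not restrict reads to uid 1001, it removes read access to the column entirely, which is the kind of misconfiguration worth checking for after tightening column-level permissions.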

Customizing MapR Table Access Control with User Roles

A role is a label attached to a set of users that defines a common task or set of behaviors for those users. Roles give you functionality similar to Unix groups without requiring you to alter your system's existing group hierarchy. A role's name can be up to 64 characters long and cannot contain the :, &, |, or ! characters. User roles are defined in the /opt/mapr/conf/m7_security_ref_impl.conf file, which must be identical across all nodes in the cluster. The m7_security_ref_impl.conf file has the following format:

After adding a new role to the m7_security_ref_impl.conf file, you must issue the following command to enable the MapR-FS layer to pick up the new role:

$ /opt/mapr/server/mrconfig dbrolescache invalidate

The Roles Library Shared Object and Access Control Expressions

By default, the roles library shared object libmapr_roles_refimpl.so is located in the /opt/mapr/server/permissions/ directory. This shared object is written in C++ and contains the GetSecurityMembership class. Each time an object secured by an ACE is accessed, the MapR-FS layer calls the roles library shared object and checks the permissions of the entity requesting access against the contents of the roles file. The roles library shared object re-reads the roles file every 600 seconds. You can supply your own roles library shared object and specify its location in the mfs.conf file.
